There are two different approaches to analyzing events to detect attacks: signature-based detection and anomaly detection.

Signature-Based Detection. This approach identifies events, or sets of events, that match a predefined pattern describing a known attack. These patterns are called signatures. Signatures may also describe system states, or access to system areas that have been explicitly identified as “off-limits.”

Anomaly Detection. Anomaly detection assumes that all intrusive activities deviate from the norm. These tools typically establish a normal activity profile and then maintain a current activity profile of a system. When the two profiles vary by statistically significant amounts, an intrusion attempt is assumed.
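Both approaches described above, worked as a small example. This is added illustration code, not part of the original text or any particular IDS product: the two signatures (an "off-limits" path rule and a burst of failed logins), the thresholds, the baseline profile numbers and the sample events are all constructed assumptions chosen to show the mechanics.

```python
"""Toy detection engine: one signature-based detector and one anomaly detector.
All signatures, thresholds and sample data below are constructed for illustration."""
import re
import statistics
from collections import defaultdict

# --- Signature-based detection -------------------------------------------

# Single-event signature: reads of areas explicitly marked "off-limits" (assumed list).
OFF_LIMITS = re.compile(r"^/etc/(shadow|sudoers)$")

# Constructed sample events: (timestamp in seconds, user, action, target, success flag).
EVENTS = [
    {"ts": 0,  "user": "alice",   "action": "read",  "target": "/home/alice/notes.txt", "ok": True},
    {"ts": 5,  "user": "bob",     "action": "login", "target": "ssh",                   "ok": False},
    {"ts": 6,  "user": "bob",     "action": "login", "target": "ssh",                   "ok": False},
    {"ts": 7,  "user": "bob",     "action": "login", "target": "ssh",                   "ok": False},
    {"ts": 8,  "user": "bob",     "action": "login", "target": "ssh",                   "ok": False},
    {"ts": 9,  "user": "bob",     "action": "login", "target": "ssh",                   "ok": False},
    {"ts": 30, "user": "mallory", "action": "read",  "target": "/etc/shadow",           "ok": True},
    {"ts": 31, "user": "alice",   "action": "read",  "target": "/etc/hosts",            "ok": True},
]


def signature_detect(events, off_limits=OFF_LIMITS, burst_n=5, burst_window=60):
    """Return (signature_name, user, ts) for every event or event sequence that
    matches a predefined pattern. Two signature kinds are shown:
      - a single-event pattern (access to an off-limits area), and
      - a multi-event pattern (burst_n failed logins by one user within burst_window s).
    """
    alerts = []
    failed_logins = defaultdict(list)  # user -> timestamps of recent failures
    for e in events:
        # Single-event signature: target matches the off-limits pattern.
        if e["action"] == "read" and off_limits.search(e["target"]):
            alerts.append(("off-limits-access", e["user"], e["ts"]))
        # Sequence signature: sliding window over failed logins per user.
        if e["action"] == "login" and not e["ok"]:
            window = failed_logins[e["user"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > burst_window:
                window.pop(0)  # discard failures that fell out of the window
            if len(window) >= burst_n:
                alerts.append(("login-burst", e["user"], e["ts"]))
                window.clear()  # one alert per burst, not one per extra failure
    return alerts


# --- Anomaly detection ---------------------------------------------------

# Constructed "normal activity profile": file accesses per hour over ten quiet hours.
BASELINE_HOURLY_ACCESSES = [12, 15, 11, 14, 13, 16, 12, 14, 13, 15]


def anomaly_detect(baseline, current, threshold=3.0):
    """Compare the current activity count with the normal profile.
    Returns (is_anomalous, z_score). A deviation of more than `threshold`
    standard deviations is treated as statistically significant (assumed cut-off).
    """
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    if sd == 0.0:
        # Flat baseline: there is no spread to measure against, so any
        # departure from the constant value is unprecedented and flagged.
        return (current != mean), (float("inf") if current != mean else 0.0)
    z = (current - mean) / sd
    return abs(z) > threshold, z


if __name__ == "__main__":
    for alert in signature_detect(EVENTS):
        print("signature hit:", alert)
    for observed in (14, 40):
        flagged, z = anomaly_detect(BASELINE_HOURLY_ACCESSES, observed)
        print(f"hourly accesses={observed}: z={z:.2f} anomalous={flagged}")
```

The signature detector only fires on what it was told about in advance (the off-limits path and the login burst), while the anomaly detector knows nothing about specific attacks and fires on any count far outside the profile; the flat-baseline branch handles the degenerate case where the profile has zero variance and a z-score cannot be computed.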